<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
  <head>

    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <meta content="Cask Data, Inc." name="author" />
<meta content="Copyright © 2016-2017 Cask Data, Inc." name="copyright" />


    <meta name="git_release" content="6.1.1">
    <meta name="git_hash" content="05fbac36f9f7aadeb44f5728cea35136dbc243e5">
    <meta name="git_timestamp" content="2020-02-09 08:22:47 +0800">
    <title>Authorization</title>

    <link rel="stylesheet" href="../_static/cdap-bootstrap.css" type="text/css" />
    <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
    <link rel="stylesheet" href="../_static/bootstrap-3.3.6/css/bootstrap.min.css" type="text/css" />
    <link rel="stylesheet" href="../_static/bootstrap-3.3.6/css/bootstrap-theme.min.css" type="text/css" />
    <link rel="stylesheet" href="../_static/css/bootstrap-sphinx.css" type="text/css" />
    <link rel="stylesheet" href="../_static/css/cdap-dynamicscrollspy-4.css" type="text/css" />
    <link rel="stylesheet" href="../_static/css/jquery.mCustomScrollbar.css" type="text/css" />
    <link rel="stylesheet" href="../_static/css/cdap-jquery.mCustomScrollbar.css" type="text/css" />
    <link rel="stylesheet" href="../_static/css/abixTreeList-2.css" type="text/css" />
    <link rel="stylesheet" href="../_static/cdap-bootstrap.css" type="text/css" />

    <script type="text/javascript">
      // Sphinx build options for this page. Presumably consumed by the
      // doctools.js script loaded further down the head — verify there.
      var DOCUMENTATION_OPTIONS = {
        "URL_ROOT": "",
        "VERSION": "6.1.1",
        "COLLAPSE_INDEX": false,
        "FILE_SUFFIX": ".html",
        "HAS_SOURCE": false
      };
    </script>
    <script type="text/javascript" src="../_static/jquery.js"></script>
    <script type="text/javascript" src="../_static/underscore.js"></script>
    <script type="text/javascript" src="../_static/doctools.js"></script>
    <script type="text/javascript" src="../_static/language_data.js"></script>

    <link rel="shortcut icon" href="../_static/favicon.ico"/>
    <link rel="index" title="Index" href="../genindex.html" />
    <link rel="search" title="Search" href="../search.html" />
    <link rel="top" title="Cask Data Application Platform 6.1.1 Documentation" href="../index.html" />
    <link rel="up" title="Security" href="index.html" />
    <link rel="next" title="Impersonation" href="impersonation.html" />
    <link rel="prev" title="Perimeter Security" href="perimeter-security.html" />
    <!-- block extrahead -->
    <meta charset='utf-8'>
    <meta http-equiv='X-UA-Compatible' content='IE=edge,chrome=1'>
    <meta name='viewport' content='width=device-width, initial-scale=1.0, maximum-scale=1'>
    <meta name="apple-mobile-web-app-capable" content="yes">
    <!-- block extrahead end -->

</head>
<body role="document">

<!-- block main content -->
<div class="main-container container">
  <div class="row"><div class="col-md-2">
    </div><div class="col-md-8 content" id="main-content">
    
  <div class="section" id="authorization">
<span id="admin-authorization"></span><h1>Authorization<a class="headerlink" href="#authorization" title="Permalink to this headline">🔗</a></h1>
<p>Authorization allows users to enforce fine-grained access control on CDAP entities:
namespaces, artifacts, applications, programs, datasets, streams, and secure keys. All
operations on these entities—listing, viewing, creating, updating, managing,
deleting—are governed by authorization policies.</p>
<div class="section" id="enabling-authorization">
<span id="security-enabling-authorization"></span><h2>Enabling Authorization<a class="headerlink" href="#enabling-authorization" title="Permalink to this headline">🔗</a></h2>
<p>To enable authorization in <span class="xref std std-term">Distributed CDAP</span>, add these
properties to <a class="reference internal" href="../appendices/cdap-site.html#appendix-cdap-default-security"><span class="std std-ref">cdap-site.xml</span></a>:</p>
<table border="1" class="docutils">
<colgroup>
<col width="20%" />
<col width="80%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Parameter</th>
<th class="head">Value</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td><code class="docutils literal notranslate"><span class="pre">security.authorization.enabled</span></code></td>
<td>true</td>
</tr>
<tr class="row-odd"><td><code class="docutils literal notranslate"><span class="pre">security.authorization.extension.jar.path</span></code></td>
<td>Absolute path of the JAR file to be used as the authorization extension. This file
must be present on the local file system of the CDAP Master. In an HA environment, it
should be present on the local file system of all CDAP Master hosts.</td>
</tr>
<tr class="row-even"><td><code class="docutils literal notranslate"><span class="pre">security.authorization.extension.extra.classpath</span></code> (Optional)</td>
<td>Extra classpath for the security extension</td>
</tr>
</tbody>
</table>
<p>Authorization in CDAP only takes effect once <a class="reference internal" href="perimeter-security.html#admin-perimeter-security"><span class="std std-ref">perimeter security</span></a> is also enabled by setting <code class="docutils literal notranslate"><span class="pre">security.enabled</span></code> to <code class="docutils literal notranslate"><span class="pre">true</span></code>.
Additionally, Kerberos must be enabled on the cluster and for CDAP by setting
<code class="docutils literal notranslate"><span class="pre">kerberos.auth.enabled</span></code> to <code class="docutils literal notranslate"><span class="pre">true</span></code> since CDAP Authorization depends on Kerberos.</p>
<p>These additional properties can also be optionally modified to configure authorization:</p>
<ul class="simple">
<li><code class="docutils literal notranslate"><span class="pre">security.authorization.cache.max.entries</span></code></li>
<li><code class="docutils literal notranslate"><span class="pre">security.authorization.cache.ttl.secs</span></code></li>
</ul>
<p>Please refer to <a class="reference internal" href="../appendices/cdap-site.html#appendix-cdap-default-security"><span class="std std-ref">cdap-defaults.xml</span></a> for
documentation on these configuration settings.</p>
<p>Authorization in CDAP is implemented as <a class="reference external" href="../../../developer-manual/security/authorization-extensions.html#authorization-extensions" title="(in Cask Data Application Platform v6.1.1)"><span class="xref std std-ref">authorization extensions</span></a>. Apart from the above configuration settings, an extension may
require additional properties to be configured. Please see the documentation on
individual extensions for configuring properties specific to that extension:</p>
<ul class="simple">
<li><span class="xref std std-ref">Integrations: Apache Sentry</span></li>
<li><a class="reference external" href="https://github.com/cdapio/cdap-security-extn/wiki/CDAP-Ranger-Extension">Integrations: Apache Ranger</a></li>
</ul>
<p><a class="reference internal" href="../appendices/cdap-site.html#appendix-cdap-default-security"><span class="std std-ref">Security extension properties</span></a>, which are specified
in <code class="docutils literal notranslate"><span class="pre">cdap-site.xml</span></code>, begin with the prefix <code class="docutils literal notranslate"><span class="pre">security.authorization.extension.config</span></code>.</p>
<p>When CDAP is first started with authorization enabled, no users are granted privileges on
any CDAP entities. Without any privileges, CDAP will not be able to create the default namespace.
To create the default namespace, grant <em>ADMIN</em> on the default namespace to the CDAP master user.
The default namespace will then be created automatically within several minutes.</p>
</div>
<div class="section" id="authorization-policies">
<span id="security-authorization-policies"></span><h2>Authorization Policies<a class="headerlink" href="#authorization-policies" title="Permalink to this headline">🔗</a></h2>
<p>Currently, CDAP allows users to enforce authorization for <em>READ</em>, <em>WRITE</em>, <em>EXECUTE</em>, and
<em>ADMIN</em> operations.</p>
<p>In general, this summarizes the authorization policies in CDAP:</p>
<ul class="simple">
<li>A <strong>create</strong> operation on an entity requires <em>ADMIN</em> on the entity. The <em>ADMIN</em> privilege needs to be granted before
the entity can be created. For example, creating a namespace requires <em>ADMIN</em> on the namespace.</li>
<li>A <strong>read</strong> operation (such as reading from a dataset or a stream) on an entity requires
<em>READ</em> on the entity.</li>
<li>A <strong>write</strong> operation (such as writing to a dataset or a stream) on an entity requires
<em>WRITE</em> on the entity.</li>
<li>An <strong>admin</strong> operation (such as setting properties) on an entity requires <em>ADMIN</em> on
the entity.</li>
<li>A <strong>delete</strong> operation on an entity requires <em>ADMIN</em> on the entity. Note that if the deletion operation will delete
multiple entities, <em>ADMIN</em> is required on all the entities. For example, delete on a namespace requires <em>ADMIN</em> on
all entities in the namespace, and the namespace itself.</li>
<li>An <strong>execute</strong> operation on a program requires <em>EXECUTE</em> on the program.</li>
<li>A <strong>list</strong> or <strong>view</strong> operation (such as listing or searching applications, datasets, streams,
artifacts) only returns those entities on which the logged-in user has at least one privilege (<em>READ</em>,
<em>WRITE</em>, <em>EXECUTE</em>, or <em>ADMIN</em>), either on the entity itself or on any of its descendants.</li>
<li>A <strong>get</strong> operation on an entity (such as getting the dataset property, app detail) only succeeds if the user has
at least one (<em>READ</em>, <em>WRITE</em>, <em>EXECUTE</em>, <em>ADMIN</em>) privilege on it or any of its descendants.</li>
<li>Only admins of the authorization backend can grant or revoke the privileges.</li>
</ul>
<p>Additionally:</p>
<ul class="simple">
<li>Upon successful creation or deletion of an entity, its privileges remain unaffected.
It is the responsibility of the administrator to delete privileges from the authorization backend when an entity is deleted.
If the privileges are not deleted and the entity is later recreated, the old privileges will be retained for the new entity.</li>
<li>CDAP does <strong>not</strong> support hierarchical authorization enforcement, which means that privileges on each entity
are evaluated independently.</li>
</ul>
<p>Authorization policies for various CDAP operations are listed in the following tables. Policies for more complex operations
can be checked <a class="reference internal" href="#security-authorization-deploying-app"><span class="std std-ref">below</span></a>.</p>
<div class="section" id="namespaces">
<span id="security-authorization-policies-namespaces"></span><h3>Namespaces<a class="headerlink" href="#namespaces" title="Permalink to this headline">🔗</a></h3>
<table border="1" class="docutils">
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Operation</th>
<th class="head">Privileges Required</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td>Create</td>
<td><em>ADMIN</em></td>
</tr>
<tr class="row-odd"><td>Update</td>
<td><em>ADMIN</em></td>
</tr>
<tr class="row-even"><td>Delete</td>
<td><em>ADMIN</em> on the namespace, and <em>ADMIN</em> on all entities in the namespace. Note that lacking any of these
privileges may leave the namespace in an inconsistent state: some entities may get cleaned up while entities with insufficient
privileges will remain.</td>
</tr>
<tr class="row-odd"><td>List/View</td>
<td>Only returns those namespaces on which the user has at least one of <em>READ, WRITE, EXECUTE,</em> or <em>ADMIN</em>, either on the
namespace or on any of its descendants</td>
</tr>
<tr class="row-even"><td>Get</td>
<td>At least one of <em>READ, WRITE, EXECUTE,</em> or <em>ADMIN</em> on the namespace or any of its descendants</td>
</tr>
</tbody>
</table>
</div>
<div class="section" id="artifacts">
<span id="security-authorization-policies-artifacts"></span><h3>Artifacts<a class="headerlink" href="#artifacts" title="Permalink to this headline">🔗</a></h3>
<table border="1" class="docutils">
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Operation</th>
<th class="head">Privileges Required</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td>Add</td>
<td><em>ADMIN</em></td>
</tr>
<tr class="row-odd"><td>Add a property</td>
<td><em>ADMIN</em></td>
</tr>
<tr class="row-even"><td>Remove a property</td>
<td><em>ADMIN</em></td>
</tr>
<tr class="row-odd"><td>Delete</td>
<td><em>ADMIN</em></td>
</tr>
<tr class="row-even"><td>List/View</td>
<td>Only returns those artifacts on which the user has at least one of <em>READ, WRITE, EXECUTE,</em> or <em>ADMIN</em></td>
</tr>
<tr class="row-odd"><td>Get</td>
<td>At least one of <em>READ, WRITE, EXECUTE,</em> or <em>ADMIN</em></td>
</tr>
</tbody>
</table>
</div>
<div class="section" id="applications">
<span id="security-authorization-policies-applications"></span><h3>Applications<a class="headerlink" href="#applications" title="Permalink to this headline">🔗</a></h3>
<table border="1" class="docutils">
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Operation</th>
<th class="head">Privileges Required</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td>Add</td>
<td><em>ADMIN</em> on the application, and either <em>ADMIN</em> on the artifact (if adding a new artifact) or
any privilege on the artifact (if using an existing artifact)</td>
</tr>
<tr class="row-odd"><td>Delete</td>
<td><em>ADMIN</em></td>
</tr>
<tr class="row-even"><td>List/View</td>
<td>Only returns those applications on which the user has at least one of <em>READ, WRITE, EXECUTE,</em> or <em>ADMIN</em>, either on the
application or on any of its descendants</td>
</tr>
<tr class="row-odd"><td>Get</td>
<td>At least one of <em>READ, WRITE, EXECUTE,</em> or <em>ADMIN</em> on the application or any of its descendants</td>
</tr>
</tbody>
</table>
</div>
<div class="section" id="programs">
<span id="security-authorization-policies-programs"></span><h3>Programs<a class="headerlink" href="#programs" title="Permalink to this headline">🔗</a></h3>
<table border="1" class="docutils">
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Operation</th>
<th class="head">Privileges Required</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td>Start, Stop, or Debug</td>
<td><em>EXECUTE</em></td>
</tr>
<tr class="row-odd"><td>Set instances</td>
<td><em>ADMIN</em></td>
</tr>
<tr class="row-even"><td>Set runtime arguments</td>
<td><em>ADMIN</em></td>
</tr>
<tr class="row-odd"><td>Retrieve runtime arguments</td>
<td>At least one of <em>READ, EXECUTE,</em> or <em>ADMIN</em></td>
</tr>
<tr class="row-even"><td>Retrieve status</td>
<td>At least one of <em>READ, WRITE, EXECUTE,</em> or <em>ADMIN</em></td>
</tr>
<tr class="row-odd"><td>List/View</td>
<td>Only returns those programs on which the user has at least one of <em>READ, WRITE, EXECUTE,</em> or <em>ADMIN</em></td>
</tr>
<tr class="row-even"><td>Get</td>
<td>At least one of <em>READ, WRITE, EXECUTE,</em> or <em>ADMIN</em></td>
</tr>
<tr class="row-odd"><td>Resume/Suspend schedule</td>
<td><em>EXECUTE</em> on the program</td>
</tr>
<tr class="row-even"><td>Add/Delete/Update schedule</td>
<td><em>ADMIN</em> on the application</td>
</tr>
</tbody>
</table>
</div>
<div class="section" id="datasets">
<span id="security-authorization-policies-datasets"></span><h3>Datasets<a class="headerlink" href="#datasets" title="Permalink to this headline">🔗</a></h3>
<table border="1" class="docutils">
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Operation</th>
<th class="head">Privileges Required</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td>Create</td>
<td><em>ADMIN</em> on the dataset and, for custom datasets, at least one of <em>READ, WRITE, EXECUTE,</em> or <em>ADMIN</em> on the
dataset type</td>
</tr>
<tr class="row-odd"><td>Read</td>
<td><em>READ</em></td>
</tr>
<tr class="row-even"><td>Write</td>
<td><em>WRITE</em></td>
</tr>
<tr class="row-odd"><td>Update</td>
<td><em>ADMIN</em></td>
</tr>
<tr class="row-even"><td>Upgrade</td>
<td><em>ADMIN</em></td>
</tr>
<tr class="row-odd"><td>Truncate</td>
<td><em>ADMIN</em></td>
</tr>
<tr class="row-even"><td>Drop</td>
<td><em>ADMIN</em></td>
</tr>
<tr class="row-odd"><td>List/View</td>
<td>Only returns those datasets on which the user has at least one of <em>READ, WRITE, EXECUTE,</em> or <em>ADMIN</em></td>
</tr>
<tr class="row-even"><td>Get</td>
<td>At least one of <em>READ, WRITE, EXECUTE,</em> or <em>ADMIN</em></td>
</tr>
</tbody>
</table>
</div>
<div class="section" id="dataset-modules">
<span id="security-authorization-policies-dataset-modules"></span><h3>Dataset Modules<a class="headerlink" href="#dataset-modules" title="Permalink to this headline">🔗</a></h3>
<table border="1" class="docutils">
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Operation</th>
<th class="head">Privileges Required</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td>Deploy</td>
<td><em>ADMIN</em></td>
</tr>
<tr class="row-odd"><td>Delete</td>
<td><em>ADMIN</em></td>
</tr>
<tr class="row-even"><td>Delete-all in the namespace</td>
<td><em>ADMIN</em> on all dataset modules in the namespace</td>
</tr>
<tr class="row-odd"><td>List/View</td>
<td>Only returns those dataset modules on which the user has at least one of <em>READ, WRITE, EXECUTE,</em> or <em>ADMIN</em></td>
</tr>
<tr class="row-even"><td>Get</td>
<td>At least one of <em>READ, WRITE, EXECUTE,</em> or <em>ADMIN</em></td>
</tr>
</tbody>
</table>
</div>
<div class="section" id="dataset-types">
<span id="security-authorization-policies-dataset-types"></span><h3>Dataset Types<a class="headerlink" href="#dataset-types" title="Permalink to this headline">🔗</a></h3>
<table border="1" class="docutils">
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Operation</th>
<th class="head">Privileges Required</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td>List/View</td>
<td>Only returns those dataset types on which the user has at least one of <em>READ, WRITE, EXECUTE,</em> or <em>ADMIN</em></td>
</tr>
<tr class="row-odd"><td>Get</td>
<td>At least one of <em>READ, WRITE, EXECUTE,</em> or <em>ADMIN</em></td>
</tr>
</tbody>
</table>
</div>
<div class="section" id="secure-keys">
<span id="security-authorization-policies-secure-keys"></span><h3>Secure Keys<a class="headerlink" href="#secure-keys" title="Permalink to this headline">🔗</a></h3>
<table border="1" class="docutils">
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Operation</th>
<th class="head">Privileges Required</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td>Create</td>
<td><em>ADMIN</em></td>
</tr>
<tr class="row-odd"><td>Read the secure data</td>
<td><em>READ</em></td>
</tr>
<tr class="row-even"><td>Delete</td>
<td><em>ADMIN</em></td>
</tr>
<tr class="row-odd"><td>List/View</td>
<td>Only returns those secure keys on which the user has at least one of <em>READ, WRITE, EXECUTE,</em> or <em>ADMIN</em></td>
</tr>
</tbody>
</table>
</div>
<div class="section" id="streams">
<span id="security-authorization-policies-streams"></span><h3>Streams<a class="headerlink" href="#streams" title="Permalink to this headline">🔗</a></h3>
<table border="1" class="docutils">
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Operation</th>
<th class="head">Privileges Required</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td>Create</td>
<td><em>ADMIN</em></td>
</tr>
<tr class="row-odd"><td>Retrieving events</td>
<td><em>READ</em></td>
</tr>
<tr class="row-even"><td>Sending events to a stream (sync, async, or batch)</td>
<td><em>WRITE</em></td>
</tr>
<tr class="row-odd"><td>Drop</td>
<td><em>ADMIN</em></td>
</tr>
<tr class="row-even"><td>Drop-all in the namespace</td>
<td><em>ADMIN</em> on all streams in the namespace</td>
</tr>
<tr class="row-odd"><td>Update</td>
<td><em>ADMIN</em></td>
</tr>
<tr class="row-even"><td>Truncate</td>
<td><em>ADMIN</em></td>
</tr>
<tr class="row-odd"><td>List/View</td>
<td>Only returns those streams on which the user has at least one of <em>READ, WRITE, EXECUTE,</em> or <em>ADMIN</em></td>
</tr>
<tr class="row-even"><td>Get</td>
<td>At least one of <em>READ, WRITE, EXECUTE,</em> or <em>ADMIN</em></td>
</tr>
</tbody>
</table>
</div>
<div class="section" id="kerberos-principal">
<span id="security-authorization-policies-principal"></span><h3>Kerberos Principal<a class="headerlink" href="#kerberos-principal" title="Permalink to this headline">🔗</a></h3>
<table border="1" class="docutils">
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Operation</th>
<th class="head">Privileges Required</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td>Deploy an app to impersonate a kerberos principal</td>
<td><em>ADMIN</em> on the principal</td>
</tr>
<tr class="row-odd"><td>Create a namespace with owner principal</td>
<td><em>ADMIN</em> on the principal</td>
</tr>
<tr class="row-even"><td>Create a dataset with owner principal</td>
<td><em>ADMIN</em> on the principal</td>
</tr>
<tr class="row-odd"><td>Create a stream with owner principal</td>
<td><em>ADMIN</em> on the principal</td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="section" id="wildcard-privileges">
<span id="security-pre-grant-wildcard-privilege"></span><h2>Wildcard Privileges<a class="headerlink" href="#wildcard-privileges" title="Permalink to this headline">🔗</a></h2>
<p>Wildcard privileges simplify granting privileges on multiple entities at once:
a wildcard in the entity name grants or revokes actions on every entity whose name matches the pattern.</p>
<ul class="simple">
<li><code class="docutils literal notranslate"><span class="pre">*</span></code> matches zero or more characters</li>
<li><code class="docutils literal notranslate"><span class="pre">?</span></code> matches a single character</li>
</ul>
<p>The following sections provide examples on granting wildcard privileges.</p>
<div class="section" id="sentry-integration">
<span id="security-sentry-integration"></span><h3>Sentry Integration<a class="headerlink" href="#sentry-integration" title="Permalink to this headline">🔗</a></h3>
<p>The <span class="xref std std-ref">CDAP CLI</span> can be used to grant or revoke privileges for <span class="xref std std-ref">Integrations: Apache Sentry</span>.
The full list of commands is documented at <span class="xref std std-ref">security commands</span>.</p>
<p>Sentry only allows granting privileges to roles. Roles can then be assigned to groups.</p>
<ul>
<li><p class="first">To create a new role, use:</p>
<div class="highlight-java notranslate"><div class="highlight"><pre><span></span><span class="o">&gt;</span> <span class="n">create</span> <span class="n">role</span> <span class="o">&lt;</span><span class="n">role</span><span class="o">-</span><span class="n">name</span><span class="o">&gt;</span>
</pre></div>
</div>
</li>
<li><p class="first">To grant/revoke privileges on an entity to a role, use:</p>
<div class="highlight-java notranslate"><div class="highlight"><pre><span></span><span class="o">&gt;</span> <span class="n">grant</span> <span class="n">actions</span> <span class="o">&lt;</span><span class="n">actions</span><span class="o">&gt;</span> <span class="n">on</span> <span class="n">entity</span> <span class="o">&lt;</span><span class="n">entity</span><span class="o">&gt;</span> <span class="n">to</span> <span class="n">role</span> <span class="o">&lt;</span><span class="n">role</span><span class="o">-</span><span class="n">name</span><span class="o">&gt;</span>
<span class="o">&gt;</span> <span class="n">revoke</span> <span class="n">actions</span> <span class="o">&lt;</span><span class="n">actions</span><span class="o">&gt;</span> <span class="n">on</span> <span class="n">entity</span> <span class="o">&lt;</span><span class="n">entity</span><span class="o">&gt;</span> <span class="n">from</span> <span class="n">role</span> <span class="o">&lt;</span><span class="n">role</span><span class="o">-</span><span class="n">name</span><span class="o">&gt;</span>
</pre></div>
</div>
<p>where:</p>
<ul>
<li><p class="first"><code class="docutils literal notranslate"><span class="pre">&lt;actions&gt;</span></code> is a comma-separated list of privileges, any of <em>READ, WRITE, EXECUTE,</em> or <em>ADMIN</em>.</p>
</li>
<li><p class="first"><code class="docutils literal notranslate"><span class="pre">&lt;entity&gt;</span></code> is of the form <code class="docutils literal notranslate"><span class="pre">&lt;entity-type&gt;:&lt;entity-id&gt;</span></code></p>
<table border="1" class="docutils">
<colgroup>
<col width="28%" />
<col width="72%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Entity Type</th>
<th class="head">Entity Id</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td><code class="docutils literal notranslate"><span class="pre">namespace</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">&lt;namespace&gt;:&lt;namespace-id&gt;</span></code></td>
</tr>
<tr class="row-odd"><td><code class="docutils literal notranslate"><span class="pre">application</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">&lt;namespace-id&gt;.&lt;app-id&gt;</span></code></td>
</tr>
<tr class="row-even"><td><code class="docutils literal notranslate"><span class="pre">program</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">&lt;namespace-id&gt;.&lt;app-id&gt;.&lt;program-type&gt;.&lt;program-id&gt;</span></code></td>
</tr>
<tr class="row-odd"><td><code class="docutils literal notranslate"><span class="pre">dataset</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">&lt;namespace-id&gt;.&lt;dataset-id&gt;</span></code></td>
</tr>
<tr class="row-even"><td><code class="docutils literal notranslate"><span class="pre">stream</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">&lt;namespace-id&gt;.&lt;stream-id&gt;</span></code></td>
</tr>
<tr class="row-odd"><td><code class="docutils literal notranslate"><span class="pre">artifact</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">&lt;namespace-id&gt;.&lt;artifact-id&gt;</span></code></td>
</tr>
<tr class="row-even"><td><code class="docutils literal notranslate"><span class="pre">dataset_type</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">&lt;namespace-id&gt;.&lt;dataset-type-id&gt;</span></code></td>
</tr>
<tr class="row-odd"><td><code class="docutils literal notranslate"><span class="pre">dataset_module</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">&lt;namespace-id&gt;.&lt;dataset-module-id&gt;</span></code></td>
</tr>
<tr class="row-even"><td><code class="docutils literal notranslate"><span class="pre">securekey</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">&lt;namespace-id&gt;.&lt;secure-key-id&gt;</span></code></td>
</tr>
<tr class="row-odd"><td><code class="docutils literal notranslate"><span class="pre">kerberosprincipal</span></code></td>
<td><code class="docutils literal notranslate"><span class="pre">&lt;kerberos-principal-id&gt;</span></code></td>
</tr>
</tbody>
</table>
</li>
<li><p class="first"><code class="docutils literal notranslate"><span class="pre">program-type</span></code> is one of:
<code class="docutils literal notranslate"><span class="pre">flow</span></code>, <code class="docutils literal notranslate"><span class="pre">mapreduce</span></code>, <code class="docutils literal notranslate"><span class="pre">service</span></code>, <code class="docutils literal notranslate"><span class="pre">spark</span></code>, <code class="docutils literal notranslate"><span class="pre">worker</span></code>, or <code class="docutils literal notranslate"><span class="pre">workflow</span></code>.</p>
</li>
<li><p class="first">Wildcards can be used in the entity name to grant privileges on multiple entities. For example,</p>
<ul class="simple">
<li><code class="docutils literal notranslate"><span class="pre">namespace:ns*</span></code> represents all the namespaces that start with <code class="docutils literal notranslate"><span class="pre">ns</span></code>.</li>
<li><code class="docutils literal notranslate"><span class="pre">namespace:ns?</span></code> represents all the namespaces whose name is <code class="docutils literal notranslate"><span class="pre">ns</span></code> followed by exactly one more character.</li>
<li><code class="docutils literal notranslate"><span class="pre">program:ns1.app1.*</span></code> represents all the programs in the application <code class="docutils literal notranslate"><span class="pre">app1</span></code>, in the namespace <code class="docutils literal notranslate"><span class="pre">ns1</span></code>.</li>
</ul>
</li>
</ul>
</li>
<li><p class="first">To add the role to a group, use:</p>
<div class="highlight-java notranslate"><div class="highlight"><pre><span></span><span class="o">&gt;</span> <span class="n">add</span> <span class="n">role</span> <span class="o">&lt;</span><span class="n">role</span><span class="o">-</span><span class="n">name</span><span class="o">&gt;</span> <span class="n">to</span> <span class="n">group</span> <span class="o">&lt;</span><span class="n">group</span><span class="o">-</span><span class="n">name</span><span class="o">&gt;</span>
</pre></div>
</div>
</li>
<li><p class="first">To check the results, list the privileges for a principal:</p>
<div class="highlight-java notranslate"><div class="highlight"><pre><span></span><span class="o">&gt;</span> <span class="n">list</span> <span class="n">privileges</span> <span class="k">for</span> <span class="o">&lt;</span><span class="n">principal</span><span class="o">-</span><span class="n">type</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="n">principal</span><span class="o">-</span><span class="n">name</span><span class="o">&gt;</span>
</pre></div>
</div>
<p>where <code class="docutils literal notranslate"><span class="pre">&lt;principal-type&gt;</span></code> can be <code class="docutils literal notranslate"><span class="pre">user</span></code>, <code class="docutils literal notranslate"><span class="pre">group</span></code> or <code class="docutils literal notranslate"><span class="pre">role</span></code>.</p>
</li>
</ul>
<p><strong>Example</strong></p>
<p>To give <code class="docutils literal notranslate"><span class="pre">alice</span></code> (who belongs to group <code class="docutils literal notranslate"><span class="pre">admin</span></code>) <em>ADMIN</em> privilege on namespace <code class="docutils literal notranslate"><span class="pre">ns1</span></code> and on all the
entities in the namespace, do the following:</p>
<ul class="simple">
<li>create a new role <code class="docutils literal notranslate"><span class="pre">ns1_administrator</span></code></li>
<li>grant the role <code class="docutils literal notranslate"><span class="pre">ns1_administrator</span></code> <em>ADMIN</em> on these entities:<ul>
<li><code class="docutils literal notranslate"><span class="pre">namespace:ns1</span></code></li>
<li><code class="docutils literal notranslate"><span class="pre">application:ns1.*</span></code></li>
<li><code class="docutils literal notranslate"><span class="pre">program:ns1.*.*</span></code></li>
<li><code class="docutils literal notranslate"><span class="pre">artifact:ns1.*</span></code></li>
<li><code class="docutils literal notranslate"><span class="pre">dataset:ns1.*</span></code></li>
<li><code class="docutils literal notranslate"><span class="pre">stream:ns1.*</span></code></li>
<li><code class="docutils literal notranslate"><span class="pre">dataset_type:ns1.*</span></code></li>
<li><code class="docutils literal notranslate"><span class="pre">dataset_module:ns1.*</span></code></li>
<li><code class="docutils literal notranslate"><span class="pre">securekey:ns1.*</span></code></li>
</ul>
</li>
<li>add role <code class="docutils literal notranslate"><span class="pre">ns1_administrator</span></code> to group <code class="docutils literal notranslate"><span class="pre">admin</span></code></li>
</ul>
<p><strong>Note:</strong></p>
<ul class="simple">
<li>Only users in the Sentry admin group can grant or revoke privileges. Groups can be added to or removed from the Sentry
admin group by updating the property <code class="docutils literal notranslate"><span class="pre">sentry.service.admin.group</span></code> in the Sentry configuration.</li>
<li>CDAP fetches roles and privileges from Sentry to enforce the authorization policy. Since only users in the Sentry admin group
can fetch roles from Sentry, CDAP itself must be added as a Sentry admin. CDAP can be configured to use a different
group to fetch roles by changing <code class="docutils literal notranslate"><span class="pre">security.authorization.extension.config.sentry.admin.group</span></code> in the CDAP configuration.</li>
<li>CDAP caches privileges fetched from Sentry to improve performance. Any update to the privileges, including a revoke, is reflected
in CDAP only after the cache timeout, so a revoked privilege remains effective in CDAP until the cached entry expires. By default, the cache timeout is 10 minutes. This value can be changed by
modifying the value of <code class="docutils literal notranslate"><span class="pre">security.authorization.cache.ttl.secs</span></code> in the CDAP configuration.</li>
</ul>
</div>
<div class="section" id="ranger-integration">
<span id="security-ranger-integration"></span><h3>Ranger Integration<a class="headerlink" href="#ranger-integration" title="Permalink to this headline">🔗</a></h3>
<p>CDAP Policies can be managed for <span class="xref std std-ref">Integrations: Apache Ranger</span> just like other Ranger service
policies. Please read the <a class="reference external" href="https://cwiki.apache.org/confluence/display/RANGER/Apache+Ranger+0.5+-+User+Guide">Ranger
documentation</a>
on Policy management to learn more.</p>
<p>The CDAP Ranger plugin allows you to grant policies on mid-level entities in the
CDAP entity hierarchy by specifying <code class="docutils literal notranslate"><span class="pre">*</span></code> for the lower levels and marking
them as <code class="docutils literal notranslate"><span class="pre">exclude</span></code>. For example, the screenshot below shows the policy
on <code class="docutils literal notranslate"><span class="pre">namespace:default</span></code>. Notice that the values for <code class="docutils literal notranslate"><span class="pre">application</span></code> and
<code class="docutils literal notranslate"><span class="pre">program</span></code> are <code class="docutils literal notranslate"><span class="pre">*</span></code> and that they are marked as <code class="docutils literal notranslate"><span class="pre">exclude</span></code>.</p>
<img alt="Ranger policy on namespace:default, with application and program set to * and marked as exclude" class="align-center" src="../_images/policy_management.png" />
</div>
</div>
<div class="section" id="operations-that-require-multiple-privileges">
<span id="security-authorization-policies-complex-operations"></span><h2>Operations that require multiple privileges<a class="headerlink" href="#operations-that-require-multiple-privileges" title="Permalink to this headline">🔗</a></h2>
<p>Some operations require multiple privileges. For example, deploying an application can create streams and datasets
during the deployment, in which case privileges are required for all the entities that will be created.
Wildcard policies help manage the privileges in these cases. Detailed authorization policies for some
operations that require multiple privileges are listed below.</p>
<p>Typically, admins manage authorization with namespace-level privileges: a user granted access to a namespace is
granted all privileges on all entities in that namespace (for example, through wildcard privileges). In such a case, the following granular policies for deploying
an application and creating various entities are not required.</p>
<div class="section" id="deploy-application">
<span id="security-authorization-deploying-app"></span><h3>Deploy Application<a class="headerlink" href="#deploy-application" title="Permalink to this headline">🔗</a></h3>
<p>The privileges required to deploy an application vary with conditions such as whether the application
has impersonation enabled. In general, the user deploying the application (the requesting user) always needs
<em>ADMIN</em> privilege on the application. In addition, the requesting user and the impersonating user may need further
privileges. The following table lists the privileges needed to deploy an application under various conditions.</p>
<table border="1" class="docutils">
<colgroup>
<col width="16%" />
<col width="42%" />
<col width="42%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head" rowspan="2">Action</th>
<th class="head" colspan="2">Privilege Required</th>
</tr>
<tr class="row-even"><th class="head">Requesting User</th>
<th class="head">Impersonating User</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-odd"><td>&#160;</td>
<td><em>ADMIN</em> on the application</td>
<td>&#160;</td>
</tr>
<tr class="row-even"><td>Deploying the app with a jar</td>
<td><em>ADMIN</em> on the artifact (use the jar name as the artifact id)</td>
<td>&#160;</td>
</tr>
<tr class="row-odd"><td>Deploying the app using an existing artifact</td>
<td>Any privilege of <em>READ, WRITE, EXECUTE,</em> or <em>ADMIN</em> on the artifact</td>
<td>&#160;</td>
</tr>
<tr class="row-even"><td colspan="3"><strong>No impersonation</strong></td>
</tr>
<tr class="row-odd"><td>Creating a dataset</td>
<td><em>ADMIN</em> on the dataset</td>
<td>&#160;</td>
</tr>
<tr class="row-even"><td>Creating a stream</td>
<td><em>ADMIN</em> on the stream</td>
<td>&#160;</td>
</tr>
<tr class="row-odd"><td>Creating a custom dataset during deployment</td>
<td><em>ADMIN</em> on the new dataset module and type (use the full class name of the custom dataset as the module id and type id)</td>
<td>&#160;</td>
</tr>
<tr class="row-even"><td>Creating a custom dataset
using an existing custom dataset type</td>
<td><em>ADMIN</em> on the existing dataset module and type</td>
<td>&#160;</td>
</tr>
<tr class="row-odd"><td colspan="3"><strong>With impersonation</strong></td>
</tr>
<tr class="row-even"><td>&#160;</td>
<td><em>ADMIN</em> on the kerberos principal of the impersonated user</td>
<td>&#160;</td>
</tr>
<tr class="row-odd"><td>Creating a dataset</td>
<td>&#160;</td>
<td><em>ADMIN</em> on the dataset</td>
</tr>
<tr class="row-even"><td>Creating a stream</td>
<td>&#160;</td>
<td><em>ADMIN</em> on the stream</td>
</tr>
<tr class="row-odd"><td>Creating a custom dataset during deployment</td>
<td>&#160;</td>
<td><em>ADMIN</em> on the new dataset module and type (use the full class name of the custom dataset as the module id and type id)</td>
</tr>
<tr class="row-even"><td>Creating a custom dataset
using an existing custom dataset type</td>
<td>&#160;</td>
<td><em>ADMIN</em> on the existing dataset module and type</td>
</tr>
</tbody>
</table>
</div>
<div class="section" id="execute-programs-hydrator-pipelines">
<span id="security-authorization-executing-programs"></span><h3>Execute Programs/Hydrator Pipelines<a class="headerlink" href="#execute-programs-hydrator-pipelines" title="Permalink to this headline">🔗</a></h3>
<p>To execute a program or a pipeline, the requesting user needs <em>EXECUTE</em> privilege on it. If there is no impersonation,
the program runs as the CDAP master user (the executing user). If impersonation is involved, the program runs
as the impersonated user.</p>
<p>Privileges required by the requesting user:</p>
<table border="1" class="docutils">
<colgroup>
<col width="33%" />
<col width="67%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Condition</th>
<th class="head">Privilege Required</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td>Execute a program</td>
<td><em>EXECUTE</em> on the program</td>
</tr>
<tr class="row-odd"><td>Execute a hydrator pipeline</td>
<td><em>EXECUTE</em> on the pipeline (application) name—<code class="docutils literal notranslate"><span class="pre">program:&lt;namespace-id&gt;.&lt;pipeline-name&gt;.*</span></code></td>
</tr>
</tbody>
</table>
<p>Privileges required by the executing user:</p>
<table border="1" class="docutils">
<colgroup>
<col width="33%" />
<col width="67%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Condition</th>
<th class="head">Privilege Required</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td>READ from existing streams and datasets</td>
<td><em>READ</em> on the streams and datasets</td>
</tr>
<tr class="row-odd"><td>WRITE to existing streams and datasets</td>
<td><em>WRITE</em> on the streams and datasets</td>
</tr>
<tr class="row-even"><td>Creating datasets</td>
<td><em>ADMIN</em> on the datasets</td>
</tr>
<tr class="row-odd"><td>Creating local datasets, READ/WRITE on local datasets</td>
<td><em>ADMIN</em>, <em>READ</em>/<em>WRITE</em> on local dataset name—<code class="docutils literal notranslate"><span class="pre">dataset:&lt;namespace-id&gt;.&lt;local-dataset-id&gt;*</span></code></td>
</tr>
<tr class="row-even"><td>Accessing an external source/sink, i.e., accessing datasets outside CDAP (only for hydrator pipelines)</td>
<td><em>ADMIN</em>, <em>READ</em> and <em>WRITE</em> on the external datasets. The name of the external dataset is the same
as the reference name of the source/sink—<code class="docutils literal notranslate"><span class="pre">dataset:&lt;namespace-id&gt;.&lt;reference-name&gt;</span></code></td>
</tr>
</tbody>
</table>
</div>
<div class="section" id="enable-dataprep-service">
<span id="security-authorization-enable-dataprep"></span><h3>Enable DataPrep Service<a class="headerlink" href="#enable-dataprep-service" title="Permalink to this headline">🔗</a></h3>
<p>To enable the DataPrep service, the following privileges are needed:</p>
<blockquote>
<div><ul>
<li><p class="first">Requesting user: <em>EXECUTE</em> on entity <code class="docutils literal notranslate"><span class="pre">program:&lt;namespace-id&gt;.dataprep.service.service</span></code></p>
</li>
<li><dl class="first docutils">
<dt>Without impersonation:</dt>
<dd><ul class="first last simple">
<li>Requesting user: <em>ADMIN</em> on entities<ul>
<li><code class="docutils literal notranslate"><span class="pre">dataset:&lt;namespace-id&gt;.workspace</span></code></li>
<li><code class="docutils literal notranslate"><span class="pre">dataset:&lt;namespace-id&gt;.dataprep</span></code></li>
<li><code class="docutils literal notranslate"><span class="pre">dataset:&lt;namespace-id&gt;.dataprepfs</span></code></li>
<li><code class="docutils literal notranslate"><span class="pre">dataset_type:&lt;namespace-id&gt;.*WorkspaceDataset</span></code></li>
<li><code class="docutils literal notranslate"><span class="pre">dataset_module:&lt;namespace-id&gt;.*WorkspaceDataset</span></code></li>
</ul>
</li>
<li>CDAP master user: <em>READ</em>, <em>WRITE</em> on entities<ul>
<li><code class="docutils literal notranslate"><span class="pre">dataset:&lt;namespace-id&gt;.workspace</span></code></li>
<li><code class="docutils literal notranslate"><span class="pre">dataset:&lt;namespace-id&gt;.dataprep</span></code></li>
<li><code class="docutils literal notranslate"><span class="pre">dataset:&lt;namespace-id&gt;.dataprepfs</span></code></li>
</ul>
</li>
</ul>
</dd>
</dl>
</li>
<li><dl class="first docutils">
<dt>With impersonation:</dt>
<dd><ul class="first last simple">
<li>Impersonating user: <em>ADMIN</em>, <em>READ</em> and <em>WRITE</em> on entities<ul>
<li><code class="docutils literal notranslate"><span class="pre">dataset:&lt;namespace-id&gt;.workspace</span></code></li>
<li><code class="docutils literal notranslate"><span class="pre">dataset:&lt;namespace-id&gt;.dataprep</span></code></li>
<li><code class="docutils literal notranslate"><span class="pre">dataset:&lt;namespace-id&gt;.dataprepfs</span></code></li>
</ul>
</li>
<li>Impersonating user: <em>ADMIN</em> on entities<ul>
<li><code class="docutils literal notranslate"><span class="pre">dataset_type:&lt;namespace-id&gt;.*WorkspaceDataset</span></code></li>
<li><code class="docutils literal notranslate"><span class="pre">dataset_module:&lt;namespace-id&gt;.*WorkspaceDataset</span></code></li>
</ul>
</li>
</ul>
</dd>
</dl>
</li>
</ul>
</div></blockquote>
</div>
</div>
<div class="section" id="differences-between-new-and-old-model">
<span id="security-differences-between-new-and-old-model"></span><h2>Differences Between New and Old Model<a class="headerlink" href="#differences-between-new-and-old-model" title="Permalink to this headline">🔗</a></h2>
<p>CDAP migrated to the new authorization model in 4.3; the old authorization model no longer works. The detailed new authorization policy
can be found <a class="reference internal" href="#security-authorization-policies"><span class="std std-ref">above</span></a>.</p>
<dl class="docutils">
<dt>In general, the changes to the authorization policies in CDAP are:</dt>
<dd><ul class="first last simple">
<li>No hierarchical authorization enforcement is supported, which means having a privilege on an entity’s parent does
not give that privilege on the entity. For example, having <em>READ</em> on the namespace does not give <em>READ</em> to
the datasets and streams in the namespace.</li>
<li>No authorization bootstrap, no privileges on the instance, and no admin users. The new model removes the requirement
for privileges on the CDAP instance and for admin users. Each privilege needs to be pre-granted before the entity can be created,
either through the CDAP CLI or through an external interface of the supported authorization extension.</li>
<li>Automatic grant on entity creation and automatic revoke on entity deletion are removed. It is the responsibility
of the administrator to create and delete privileges.</li>
</ul>
</dd>
</dl>
</div>
<div class="section" id="authorization-policy-pushdown">
<span id="security-auth-policy-pushdown"></span><h2>Authorization Policy Pushdown<a class="headerlink" href="#authorization-policy-pushdown" title="Permalink to this headline">🔗</a></h2>
<p>Currently, CDAP does not support the pushing of authorization policy grants and revokes to
<span class="xref std std-term">storage providers</span>. As a result, when a user is granted <em>READ</em>
or <em>WRITE</em> access on existing datasets or streams, permissions are not updated in the
storage providers. The same applies when authorization policies are revoked.</p>
<p>A newly-applied authorization policy is enforced when the dataset or stream is
accessed from CDAP, but not when it is accessed directly in the storage provider; likewise, revoking a policy
in CDAP does not remove any access that was granted directly in the storage provider. If the
pushdown of permissions to storage providers is desired, it needs to be done manually.
This will be done automatically in a future release of CDAP.</p>
<p>This limitation has a larger implication when <a class="reference external" href="../../../developer-manual/building-blocks/datasets/overview.html#cross-namespace-dataset-access" title="(in Cask Data Application Platform v6.1.1)"><span class="xref std std-ref">Cross-namespace Dataset Access</span></a> is used. When accessing a dataset from a different
namespace, CDAP currently presumes that the user accessing the dataset has been granted
permissions on the dataset in the storage provider prior to accessing the dataset from
CDAP.</p>
<p>For example, if a program in the namespace <em>ns1</em> tries to access a <span class="xref std std-term">fileset</span> in the
namespace <em>ns2</em>, the user running the program should be granted the appropriate (<em>READ</em>,
<em>WRITE</em>, or both) privileges on the fileset. Additionally, the user needs to be granted
appropriate permissions on the HDFS directory that the fileset points to. When
<a class="reference internal" href="impersonation.html#admin-impersonation"><span class="std std-ref">impersonation</span></a> is used in the program’s namespace, this user
is the impersonated user, otherwise it is the user that the CDAP Master runs as.</p>
</div>
</div>

</div>
</div>
  </body>
</html>